What the Cyber Essentials update means for FM and support service contracts
Cyber risk is no longer just an IT issue.
For many organisations, it now sits inside the building itself – in access control, CCTV, cloud-based visitor systems, smart devices, contractor apps and building management platforms.
That is why the latest Cyber Essentials update matters far beyond the IT team.
What has changed?
The UK’s Cyber Essentials scheme was updated on 27 April 2026. Two of the biggest changes are simple but important.
First, high-risk and critical security updates now need to be applied within 14 days.
Second, multi-factor authentication is now required for all cloud services where it is available.
This is a real tightening of expectations. It moves cyber compliance away from general good practice and closer to a test of whether day-to-day controls are actually working.
Why this matters for FM and operations
Facilities management now depends on connected systems.
That can include:
- CCTV and access control
- Visitor and contractor management tools
- Cloud email and shared files
- Smart sensors and monitoring systems
- Mobile devices used by supervisors and site teams
If patching is late or cloud access is weak, the risk is not just technical. It can become operational.
That could mean:
- Loss of access to systems
- Disruption to building services
- Exposure of site or visitor data
- Supply chain failures
- Contract risk
For FM teams, this means cyber resilience is now part of service assurance.
What this means for small businesses
For smaller businesses, the biggest risk is assuming this only applies to large organisations.
It does not.
Smaller firms often rely on cloud tools, shared mobile devices and third-party systems. That means the new rules may apply immediately, especially around MFA and software updates.
The good news is that the first steps are practical:
- Turn on MFA
- Review all cloud services
- Tighten patching routines
- Check which devices are no longer supported
What this means for medium and large organisations
For larger organisations, the challenge is scale and consistency.
Across multiple sites, you need to know:
- Which systems are connected
- Who has access
- How quickly patches are applied
- Whether suppliers are working to the same standard
This is especially important where FM, security, helpdesk and property systems overlap.
What this means for public sector buyers and contractors
This update matters even more if you work in or around public sector procurement.
Cyber Essentials is already a common expectation in supply chains, and TechRadar notes it is mandatory for public sector suppliers handling sensitive data. That means some organisations may now face contract risk if they do not keep up with the new rules.
For buyers, this is a reminder to check supplier readiness.
For contractors, it is a reminder that cyber controls now affect commercial credibility, not just IT hygiene.
What to check now
Start with five practical checks:
- MFA: Is it enabled on every cloud service where available?
- Patching: Can high-risk and critical updates be applied within 14 days?
- Devices: Are any old phones, laptops or smart systems still in use but no longer supported?
- Access: Do ex-staff, ex-contractors or shared accounts still have access?
- Suppliers: Are third-party FM and technology partners working to the same standard?
Where TPMG FM fits in
At TPMG FM, this is part of the wider move towards controlled, modern service delivery.
Today, FM is not just about cleaning, waste, safety and mobilisation. It is also about how operational systems, people and suppliers work together securely.
As buildings become more connected, clients need service partners who understand that resilience now includes digital resilience too.
If your organisation is reviewing supplier controls, smart building risks or public sector contract readiness, TPMG FM can help you build a more controlled and future-ready operating model.